Verdict: MALICIOUS
Risk Score: 156
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The file is identified as malicious by ClamAV and an ML classifier, with heuristics indicating it functions as a link farm or phishing lure. The embedded URL 'https://traffine.ru/123?utm_term=judgement+tarot+meaning+keen' is a primary indicator of this malicious intent. Although no scripts were explicitly extracted, the PDF structure and the presence of external links suggest an attempt to redirect the user to a potentially harmful site, aligning with spearphishing tactics.
Machine Learning
- Nyx PDF Classifier malicious score 0.9998
Heuristics 5
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
- External URI (info, PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://traffine.ru/123?utm_term=judgement+tarot+meaning+keen
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000d444.bin 181438ee7509a8fecc38117f76e35efa97c981bbc47525fe963e5223b03266c0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD444 | 4988 bytes |
| font_01_sfnt_off0000e528.bin cd20c4c1d4137996914c81dca55187772d8f56cddb81737ccf59a3e0b7485fee | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE528 | 10272 bytes |